lacework-global-41
1.12 Ensure credentials unused for 45 days or greater are disabled (Automated)
Profile Applicability
• Level 1
Description
AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused for 45 days or more be deactivated or removed.
Rationale
Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.
Audit
Perform the following to determine if unused credentials exist:
From Console
- Login to the AWS Management Console
- Click `Services`
- Click `IAM`
- Click on `Users`
- Click the `Settings` (gear) icon
- Select `Console last sign-in`, `Access key last used`, and `Access Key Id`
- Click on `Close`
- Check and ensure that `Console last sign-in` is less than 45 days ago. Note: `Never` means the user has never logged in.
- Check and ensure that `Access key age` is less than 45 days and that `Access key last used` does not say `None`.
If the user hasn't signed into the Console in the last 45 days or access keys are over 45 days old, refer to the remediation.
From Command Line
Download Credential Report:
- Run the following commands:
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16
Ensure unused credentials do not exist:
- For each user having `password_enabled` set to `TRUE`, ensure `password_last_used_date` is less than 45 days ago.
- When `password_enabled` is set to `TRUE` and `password_last_used` is set to `No_Information`, ensure `password_last_changed` is less than 45 days ago.
- For each user having `access_key_1_active` or `access_key_2_active` set to `TRUE`, ensure the corresponding `access_key_n_last_used_date` is less than 45 days ago.
- When a user having `access_key_x_active` (where x is 1 or 2) set to `TRUE` and the corresponding `access_key_x_last_used_date` is set to `N/A`, ensure `access_key_x_last_rotated` is less than 45 days ago.
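The four command-line checks above can be applied mechanically to the decoded credential report. The following script is an added example, not part of the benchmark or of Lacework's policy code. It parses a constructed sample report (fictitious account and users), uses the column names the real credential report emits (`password_last_used`, `password_last_changed`, `access_key_N_last_used_date`, `access_key_N_last_rotated`, with `N/A` and `no_information` as the no-date markers, compared case-insensitively), evaluates the report against a fixed "today" so the result is reproducible, and prints the AWS CLI command that corresponds to each console remediation step. The key-ID placeholder in the access-key command is deliberate: the credential report does not contain key IDs, so they must be looked up with `aws iam list-access-keys`.

```python
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 45

# Constructed sample credential report for a fictitious account 123456789012 (not real data).
# A real report is produced by:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query 'Content' --output text | base64 -d
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T00:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-01T00:00:00+00:00,true,2024-05-20T08:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,2024-05-28T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-01-01T00:00:00+00:00,true,2024-01-10T08:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-01-01T00:00:00+00:00,true,no_information,2024-05-15T00:00:00+00:00,N/A,false,true,2024-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dave,arn:aws:iam::123456789012:user/dave,2023-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-05-20T00:00:00+00:00,N/A,N/A,N/A,true,2024-01-01T00:00:00+00:00,2024-02-01T00:00:00+00:00,us-west-2,ec2,false,N/A,false,N/A
"""

# Fixed "today" so the constructed sample evaluates the same way on every run.
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Values the report uses when a field carries no date.
NO_DATE = {"n/a", "no_information", "not_supported"}


def age_days(value, now):
    """Age in whole days of an ISO-8601 timestamp from the report, or None when the
    field carries no date (N/A, no_information, not_supported)."""
    if value.strip().lower() in NO_DATE:
        return None
    return (now - datetime.fromisoformat(value)).days


def stale_field(row, last_used_col, fallback_col, now, max_age_days):
    """Apply the audit rule for one credential: judge by the last-used date, and when
    that is absent fall back to when the credential was last changed or rotated.
    Returns (column, age_in_days) if the credential is older than the limit, else None."""
    col, age = last_used_col, age_days(row[last_used_col], now)
    if age is None:
        col, age = fallback_col, age_days(row[fallback_col], now)
    if age is not None and age > max_age_days:
        return col, age
    return None


def find_unused_credentials(report_csv, now, max_age_days=MAX_AGE_DAYS):
    """Return [(user, credential, column, age_days)] for every enabled password or
    active access key that the audit rules classify as unused."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Rules 1 and 2: enabled console password, judged by last use, else last change.
        if row["password_enabled"].lower() == "true":
            hit = stale_field(row, "password_last_used", "password_last_changed", now, max_age_days)
            if hit:
                findings.append((user, "password", *hit))
        # Rules 3 and 4: each active access key, judged by last use, else last rotation.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"].lower() != "true":
                continue
            hit = stale_field(row, f"access_key_{n}_last_used_date",
                              f"access_key_{n}_last_rotated", now, max_age_days)
            if hit:
                findings.append((user, f"access_key_{n}", *hit))
    return findings


def remediation_command(finding):
    """AWS CLI equivalent of the console remediation for one finding: remove console
    access for a stale password, or set a stale access key to Inactive. The report does
    not list key IDs, so the key command carries a placeholder to fill from
    `aws iam list-access-keys --user-name <user>`."""
    user, credential = finding[0], finding[1]
    if credential == "password":
        return f"aws iam delete-login-profile --user-name {user}"
    return (f"aws iam update-access-key --user-name {user} "
            f"--access-key-id <KEY_ID_FROM_list-access-keys> --status Inactive")


if __name__ == "__main__":
    for f in find_unused_credentials(SAMPLE_REPORT, DEMO_NOW):
        print(f"{f[0]}: {f[1]} unused ({f[2]} {f[3]} days ago) -> {remediation_command(f)}")
```

On the sample, `alice` passes both checks, `bob` is flagged on the password rule, `carol` on the key-rotation fallback (key never used, rotated more than 45 days ago), and `dave` on a stale second key while his first key is fresh. To run it against a real account, replace `SAMPLE_REPORT` with the decoded report text and `DEMO_NOW` with `datetime.now(timezone.utc)`; the root row is skipped automatically because its `password_enabled` is `not_supported`.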
Remediation
From Console
Perform the following to manage an unused password (IAM user console access):
- Login to the AWS Management Console
- Click `Services`
- Click `IAM`
- Click on `Users`
- Click on `Security Credentials`
- Select the user whose `Console last sign-in` is greater than 45 days
- Click `Security credentials`
- In section `Sign-in credentials`, `Console password`, click `Manage`
- Under Console Access select `Disable`
- Click `Apply`
Perform the following to deactivate access keys:
- Login to the AWS Management Console
- Click `Services`
- Click `IAM`
- Click on `Users`
- Click on `Security Credentials`
- Select any access keys that are over 45 days old and that have been used, and click on `Make Inactive`
- Select any access keys that are over 45 days old and that have not been used, and click the X to `Delete`
References
CCE-78900-8
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html